No Business Associate Agreement? A $31,000 Mistake.

On April 20, 2017, the Office for Civil Rights (OCR) announced that the Center for Children’s Digestive Health (CCDH) paid $31,000 to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy rule. The settlement was initiated as a part of a compliance review following an investigation of a business associate, FileFax, Inc. FileFax stored records containing protected health information (PHI) for CCDH.

The OCR investigation revealed that the parties had been sharing PHI since 2003, yet neither party could produce a signed Business Associate Agreement (BAA) dated prior to October 2015.

The OCR has been reinforcing BAA requirements and issued settlements with providers totaling $23 million in 2016. The Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) paid $650,000 in a 2016 settlement for lacking the necessary BAAs. CHCS provided services to six skilled nursing facilities, and the OCR received notification from each facility that a mobile device had been stolen, potentially compromising 412 individuals' information. CHCS was found to have lacked the necessary BAA and to have not conducted an accurate and thorough risk assessment of the potential risks and vulnerabilities to electronic protected health information (ePHI).

A BAA is not optional under HIPAA rules and regulations. If you have a vendor who performs certain functions involving PHI/ePHI, you must have a signed BAA in place to comply with the requirements enforced by the OCR.